request-tracker4 - Debian Package Tracker

general

source: request-tracker4 (main)
version: 4.4.7+dfsg-4
maintainer: Debian Request Tracker Group (archive) (DMD)
uploaders: Andrew Ruthven [DMD] – Niko Tyni [DMD] – Dominic Hargreaves [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.4.4+dfsg-2+deb11u3
o-o-sec: 4.4.4+dfsg-2+deb11u5
oldstable: 4.4.6+dfsg-1.1+deb12u3
old-sec: 4.4.6+dfsg-1.1+deb12u3
unstable: 4.4.7+dfsg-4

versioned links

4.4.4+dfsg-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.4+dfsg-2+deb11u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.6+dfsg-1.1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.7+dfsg-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

request-tracker4 (10 bugs: 1, 5, 4, 0)
rt4-apache2
rt4-clients (3 bugs: 0, 0, 3, 0)
rt4-db-mysql
rt4-db-postgresql
rt4-db-sqlite
rt4-doc-html (1 bugs: 0, 0, 1, 0)
rt4-fcgi
rt4-standalone

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch source
  https://bestpractical.com/download-page

Created: 2025-11-26 Last update: 2026-05-22 19:30

A new upstream version is available: 4.4.9 high

A new upstream version 4.4.9 is available, you should consider packaging it.

Created: 2025-11-26 Last update: 2026-05-22 19:30

10 security issues in sid high

There are 10 open security issues in sid.

10 important issues:

CVE-2025-2545: Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday attacks, which could compromise the confidentiality of encrypted messages.
CVE-2026-6841: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
CVE-2025-30087: Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
CVE-2025-61873: Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
CVE-2026-41073:
CVE-2026-41075:
CVE-2026-41076:
CVE-2026-44227:
CVE-2026-44229:
CVE-2026-44231:

Created: 2025-04-29 Last update: 2026-05-22 05:00

7 security issues in bullseye high

There are 7 open security issues in bullseye.

7 important issues:

CVE-2026-6841: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
CVE-2026-41073:
CVE-2026-41075:
CVE-2026-41076:
CVE-2026-44227:
CVE-2026-44229:
CVE-2026-44231:

Created: 2026-05-20 Last update: 2026-05-22 05:00

7 security issues in bookworm high

There are 7 open security issues in bookworm.

7 important issues:

CVE-2026-6841: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
CVE-2026-41073:
CVE-2026-41075:
CVE-2026-41076:
CVE-2026-44227:
CVE-2026-44229:
CVE-2026-44231:

Created: 2026-05-20 Last update: 2026-05-22 05:00

lintian reports 2 errors high

Lintian reports 2 errors about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-09 Last update: 2026-04-09 07:01

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-22 23:31

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-04-13 Last update: 2026-05-22 20:33

RM: This package has been requested to be removed. normal

This package has been requested to be removed. This means that, when this request gets processed by an ftp-master, this package will no longer be in unstable, and will automatically be removed from testing too afterwards. If for some reason you want keep this package in unstable, please discuss so in the bug. Please see bug number #1134418 for more information.

Created: 2026-05-21 Last update: 2026-05-21 23:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).

Created: 2025-02-21 Last update: 2026-03-31 15:01

testing migrations

excuses:
- Migration status for request-tracker4 (- to 4.4.7+dfsg-4): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating request-tracker4 would introduce bugs in testing: #1030749, #1103555, #1104424, #1120003
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/request-tracker4.html
- ∙ ∙ Autopkgtest for request-tracker4/4.4.7+dfsg-4: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻, ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: No tests, superficial or marked flaky ♻
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 518 days old (needed 5 days)
- Not considered

news

[rss feed]

[2025-11-01] Accepted request-tracker4 4.4.6+dfsg-1.1+deb12u3 (source all) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andrew Ruthven)
[2025-10-26] Accepted request-tracker4 4.4.4+dfsg-2+deb11u5 (source) into oldoldstable-security (Andrew Ruthven) (signed by: Thorsten Alteholz)
[2025-10-22] Accepted request-tracker4 4.4.6+dfsg-1.1+deb12u3 (source all) into oldstable-security (Debian FTP Masters) (signed by: Andrew Ruthven)
[2025-05-07] Accepted request-tracker4 4.4.4+dfsg-2+deb11u4 (source) into oldstable-security (Andrew Ruthven)
[2025-05-03] Accepted request-tracker4 4.4.6+dfsg-1.1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Andrew Ruthven)
[2025-04-30] Accepted request-tracker4 4.4.6+dfsg-1.1+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Andrew Ruthven)
[2025-04-11] request-tracker4 REMOVED from testing (Debian testing watch)
[2024-12-26] request-tracker4 4.4.7+dfsg-4 MIGRATED to testing (Debian testing watch)
[2024-12-21] Accepted request-tracker4 4.4.7+dfsg-4 (source) into unstable (Andrew Ruthven)
[2024-10-03] request-tracker4 4.4.7+dfsg-3 MIGRATED to testing (Debian testing watch)
[2024-09-27] Accepted request-tracker4 4.4.7+dfsg-3 (source) into unstable (Andrew Ruthven)
[2024-08-18] request-tracker4 4.4.7+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-08-13] Accepted request-tracker4 4.4.7+dfsg-2 (source) into unstable (Andrew Ruthven)
[2024-06-06] request-tracker4 4.4.7+dfsg-1.1 MIGRATED to testing (Debian testing watch)
[2024-05-31] Accepted request-tracker4 4.4.7+dfsg-1.1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2023-11-07] Accepted request-tracker4 4.4.4+dfsg-2+deb11u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andrew Ruthven)
[2023-11-04] Accepted request-tracker4 4.4.6+dfsg-1.1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andrew Ruthven)
[2023-10-31] request-tracker4 4.4.7+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-10-30] Accepted request-tracker4 4.4.3-2+deb10u3 (source) into oldoldstable (Andrew Ruthven)
[2023-10-30] Accepted request-tracker4 4.4.6+dfsg-1.1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Andrew Ruthven)
[2023-10-30] Accepted request-tracker4 4.4.4+dfsg-2+deb11u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Andrew Ruthven)
[2023-10-29] Accepted request-tracker4 4.4.7+dfsg-1 (source) into unstable (Andrew Ruthven)
[2023-10-10] request-tracker4 4.4.6+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-10-10] request-tracker4 4.4.6+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-10-05] Accepted request-tracker4 4.4.6+dfsg-2 (source) into unstable (Andrew Ruthven)
[2023-03-08] request-tracker4 4.4.6+dfsg-1.1 MIGRATED to testing (Debian testing watch)
[2023-02-25] Accepted request-tracker4 4.4.6+dfsg-1.1 (source) into unstable (Adrian Bunk)
[2022-07-22] request-tracker4 4.4.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-07-19] Accepted request-tracker4 4.4.6+dfsg-1 (source) into unstable (Andrew Ruthven)
[2022-07-15] Accepted request-tracker4 4.4.3-2+deb10u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Dominic Hargreaves)

bugs [bug history graph]

all: 20
RC: 2
I&N: 7
M&W: 9
F&P: 2
patch: 2

links

homepage
lintian (2, 0)
buildd: logs
popcon
browse source code
other distros
security tracker
screenshots
l10n (98, 61)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.4.7+dfsg-4syncable1
13 bugs